Understanding roles and permissions in Dashboard Designer

You use PerformancePoint Monitoring Server to create, edit, and deploy dashboards to sites that use Windows SharePoint Services or Office SharePoint Server 2007. When you deploy dashboards, you must have certain permissions assigned in Monitoring Server and other servers, depending on which dashboard elements you create. In addition, your dashboard users must have certain permissions to view and use your dashboard elements.

When you understand how roles and permissions affect dashboard elements, you can use roles to control how dashboard authors and dashboard consumers use the elements that you create.


Learn more about roles and permissions

In order to create, edit, or view dashboard elements, you must have certain permissions. You derive those permissions from the role that is assigned to you at the user level in Monitoring Server, and at the element level in Dashboard Designer. The following table describes those roles and what effect each role has.

Note: If a given element has no permissions assigned to it, then all users have full access to it. For example, if you create a report in Dashboard Designer and publish it to Monitoring Server without assigning any Editor or Reader permissions to it, then all other Dashboard Designer users can view it.

Each entry below gives the role, where it is assigned (in parentheses), and the effect it has.

Administrator (assigned in Monitoring Server)
  • Applies permissions at the user level.
  • Enables users to create, edit, delete, or publish all dashboard elements.
  • Enables users to view all dashboard elements, regardless of the permissions assigned to a particular element.
  • Enables users to assign roles to other users.

Creator (assigned in Monitoring Server)
  • Applies permissions at the user level.
  • Enables users to create reports, key performance indicators (KPIs), scorecards, and indicators, but not data sources.
  • Enables users to publish reports, KPIs, scorecards, and indicators.
  • Enables users who have Editor permissions for a given set of elements in Dashboard Designer to delete those elements.

Data Source Manager (assigned in Monitoring Server)
  • Applies permissions at the user level.
  • Enables users to create, edit, delete, or publish data sources.
  • Does not enable users to grant additional permissions to other users.

Power Reader (assigned in Monitoring Server)
  • Applies permissions at the user level.
  • Enables users to view elements that have been published.
  • Overrides the Reader permissions that are assigned at the element level in Dashboard Designer, so that users who have Power Reader permissions can view all published elements.
  • Does not enable users to create, edit, delete, or publish elements.

Editor (assigned in Dashboard Designer)
  • Applies permissions at the element level.
  • Enables users to create, edit, delete, or publish dashboard elements, provided that Creator and/or Data Source Manager permissions are also assigned to those users in Monitoring Server.

Reader (assigned in Dashboard Designer)
  • Applies permissions at the element level.
  • Enables dashboard authors and dashboard consumers to view dashboard elements, provided that any dependent elements have Reader permissions as well.
  • Does not enable dashboard authors to create, edit, delete, or publish elements.

Note: Dashboard elements that consist of other elements are called dependent elements. For example, a scorecard is a dependent element because it consists of one or more KPIs, which are another type of dashboard element. In addition, the KPIs are dependent elements because they consist of indicators, which are yet another type of dashboard element, and so on. Make sure that you assign the appropriate permissions to users for all your dashboard elements, including any dependent elements.

Depending on the dashboard elements that you create or use, you might require additional roles and permissions on other servers. For example, when you create a data source connection to a data cube in SQL Server 2005 Analysis Services, you must have at least Read permissions assigned to you in Analysis Services. And, when you include a SQL Server 2005 Reporting Services report in your dashboard, you must have at least Read permissions assigned to you on the Reporting Services report server.

Your dashboard consumers must also have Read permissions on the appropriate servers to view data in the reports and scorecards that you include in your dashboards. The roles and permissions described in the table apply only to Monitoring Server and Dashboard Designer. We highly recommend that you read the resources listed under "Get more information about security and roles."


Understand how roles and permissions affect users

The roles and permissions that are assigned in Monitoring Server and Dashboard Designer affect what you and other users can do with dashboard elements.

For example, you must have Creator permissions in Monitoring Server to create a report in Dashboard Designer. When you create and publish your report, you automatically have Editor permissions for that report in Dashboard Designer.

When you have Editor permissions for a report, you can assign Editor permissions to other users to enable them to modify your report. Or, you can assign Reader permissions to other users to enable them to view, but not modify, your report.

Finally, in order for dashboard consumers to view your report, they must have Reader permissions for the report in Dashboard Designer and Read permissions on the server hosting the data that you display in the report.

How roles in Dashboard Designer affect users

The roles that you and other dashboard authors associate with individual elements in Dashboard Designer enable you to control what other users can do with those elements.

Example: Use Reader permissions to control who can view a scorecard

Suppose that you create and deploy dashboards in your organization. Suppose further that you want to control who can view certain elements, such as scorecards. In fact, you have created several different scorecards for your sales team. The scorecards you created for the sales managers do not contain the information that is of interest to the individual sales representatives. Similarly, the scorecards that you created for the individual sales representatives do not contain the level of detail that your sales managers want. To control who views which scorecards, you assign Reader permissions to the sales managers for their scorecards, but not to the individual sales representatives. And you assign Reader permissions to the sales representatives for their scorecards, but not to the sales managers. That way, when you deploy all the scorecards in your dashboards, your sales managers and sales representatives see only the scorecards that contain the information that they want to see.


Permissions have a cascading effect in Monitoring Server. For example, if you assign Reader permissions to dashboard consumers for one or more key performance indicators (KPIs), but you do not assign those permissions for a scorecard that uses those KPIs, then your dashboard consumers will not be able to see the scorecard. In addition, if you assign Reader permissions for a report, such as a Reporting Services report, but your dashboard consumers do not have Reader permissions assigned in the Reporting Services report server, they will not be able to see the report. Make sure that your dashboard consumers have the appropriate permissions assigned for all the dashboard elements that you want them to view.

Note: For more information about how to assign or edit permissions for an element, see Create or edit properties in Dashboard Designer.
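The cascading rule above, together with the earlier note that an element with no permissions assigned is open to all users, can be checked before deployment with a small model like the following. This is an added example, not PerformancePoint code or its API: the class, function names, and sample data are constructed, every element is assumed to be published, and Read permissions on other servers are not modeled.

```python
# Added illustration: a simplified model of the view rules described on this page.
# Not PerformancePoint code; all names and sample data are constructed.
from dataclasses import dataclass, field

SERVER_VIEW_ALL = {"Administrator", "Power Reader"}  # server roles that see every element

@dataclass
class Element:
    name: str
    readers: set = field(default_factory=set)  # users with element-level Reader
    editors: set = field(default_factory=set)  # users with element-level Editor
    uses: list = field(default_factory=list)   # elements this one is built from

def walk(element):
    """Yield the element and everything it is built from, recursively."""
    yield element
    for child in element.uses:
        yield from walk(child)

def has_element_access(user, element):
    # Per the page's note: no permissions assigned means all users have full access.
    if not element.readers and not element.editors:
        return True
    # Assumption: an Editor can also view the element they edit.
    return user in element.readers or user in element.editors

def blocking_elements(user, server_roles, element):
    """Names of elements in the chain that stop `user` from viewing `element`."""
    if SERVER_VIEW_ALL & set(server_roles):
        return []
    return [e.name for e in walk(element) if not has_element_access(user, e)]

def default_open(element):
    """Names of elements in the chain that have no permissions assigned at all."""
    return [e.name for e in walk(element) if not e.readers and not e.editors]

# Constructed sample: a scorecard built from one KPI, which uses one indicator.
indicator = Element("Stoplight indicator")  # nothing assigned: open to everyone
kpi = Element("Revenue KPI", readers={"rep1", "manager1"}, uses=[indicator])
scorecard = Element("Managers scorecard", readers={"manager1", "manager2"}, uses=[kpi])

if __name__ == "__main__":
    for user in ("manager1", "manager2", "rep1"):
        print(user, "blocked by:", blocking_elements(user, [], scorecard))
    print("no permissions assigned:", default_open(scorecard))
```

An empty list from `blocking_elements` means the user can view the element; anything returned by `default_open` is an element that every Dashboard Designer user can currently access.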

How roles in other servers affect users

You and other Monitoring Server users typically have multiple roles that are assigned to you in various servers that host the data that you use in your dashboards. Each role affects the way you interact with a particular server. For example, you might have a Database role on a server that hosts SQL Server 2005 Analysis Services data and a Creator role in Monitoring Server. Together, those roles enable you to create reports in Dashboard Designer that display the Analysis Services data. In contrast, you might have a completely different Database role assigned to you on a different server that hosts SharePoint lists that are used in other reports in Dashboard Designer.

The roles that are assigned on a server carry certain permissions for that server. A role on one server does not necessarily apply to other servers. For example, the Creator role in Monitoring Server enables Dashboard Designer users to create elements, such as reports, KPIs, scorecards, indicators, dashboard pages, and filters. But those permissions apply only to Monitoring Server, and not to other servers that might host the data that those dashboard elements use. And, although the Database role in Analysis Services enables a user to view objects, such as dimensions and members, that same role does not automatically ensure that a dashboard author can create a data source in Dashboard Designer. The appropriate permissions must be assigned to users on all the servers that are associated with dashboard elements.


Get more information about security and roles

For more information about security and roles, see the following resources:


Monitoring Server roles and security

Plan site and content security

Security Considerations for SQL Server

Plan Excel Services security

